Diffstat (limited to 'src/usr/secureboot')
-rw-r--r-- | src/usr/secureboot/HBconfig | 4 | ||||
-rw-r--r-- | src/usr/secureboot/base/header.C | 4 | ||||
-rw-r--r-- | src/usr/secureboot/base/securerommgr.C | 99 | ||||
-rw-r--r-- | src/usr/secureboot/base/securerommgr.H | 8 | ||||
-rw-r--r-- | src/usr/secureboot/base/service.C | 23 | ||||
-rw-r--r-- | src/usr/secureboot/base/settings.C | 21 | ||||
-rw-r--r-- | src/usr/secureboot/runtime/test/testsecureboot_rt.H | 62 |
7 files changed, 178 insertions, 43 deletions
diff --git a/src/usr/secureboot/HBconfig b/src/usr/secureboot/HBconfig index 425593e74..7a6c29cf3 100644 --- a/src/usr/secureboot/HBconfig +++ b/src/usr/secureboot/HBconfig @@ -4,9 +4,9 @@ config SECUREBOOT help Enable and enforce secure boot -# @TODO RTC:155374 Remove this in the future +# @TODO RTC:178520 Remove this in the future config SECUREBOOT_BEST_EFFORT - default y if SECUREBOOT + default n depends on SECUREBOOT help Enable Best effort Secureboot. Should only be used for diff --git a/src/usr/secureboot/base/header.C b/src/usr/secureboot/base/header.C index 2f62f804c..f2c41069c 100644 --- a/src/usr/secureboot/base/header.C +++ b/src/usr/secureboot/base/header.C @@ -36,7 +36,7 @@ namespace SECUREBOOT return Singleton<Header>::instance(); } - // @TODO RTC 168021 Converge on a single method of reading the secure + // @TODO RTC 178520 Converge on a single method of reading the secure // header void Header::loadSecurely() { @@ -49,7 +49,7 @@ namespace SECUREBOOT _set(pSecureHeader); } - // @TODO RTC 168021 Converge on a single method of reading the secure + // @TODO RTC 178520 Converge on a single method of reading the secure // header void Header::setNonSecurely( const void* const i_pHeader) diff --git a/src/usr/secureboot/base/securerommgr.C b/src/usr/secureboot/base/securerommgr.C index dc8e6155c..d596d5c64 100644 --- a/src/usr/secureboot/base/securerommgr.C +++ b/src/usr/secureboot/base/securerommgr.C @@ -64,6 +64,11 @@ errlHndl_t initializeSecureRomManager(void) return Singleton<SecureRomManager>::instance().initialize(); } +bool secureRomValidPolicy() +{ + return Singleton<SecureRomManager>::instance().secureRomValidPolicy(); +} + /** * @brief Verify Signed Container */ 
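Review bot: The new free function `secureRomValidPolicy()` in the first securerommgr.C hunk has no Doxygen header, while the neighbouring `verifyContainer` wrapper carries one; the same applies to the `bestEffortPolicy()` wrapper added in service.C later in this diff. A short block such as `/** @brief Wrapper for SecureRomManager::secureRomValidPolicy(); see that method for the fail-closed semantics */` keeps the wrappers consistent with the rest of the file. Their declarations are presumably in headers outside this diffstat's scope, so the header comments should be checked there as well.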
@@ -71,8 +76,7 @@ errlHndl_t verifyContainer(void * i_container, const SHA512_t* i_hwKeyHash) { errlHndl_t l_errl = nullptr; - // @TODO RTC:170136 remove isValid check - if(Singleton<SecureRomManager>::instance().isValid()) + if(Singleton<SecureRomManager>::instance().secureRomValidPolicy()) { l_errl = Singleton<SecureRomManager>::instance(). verifyContainer(i_container,i_hwKeyHash); @@ -87,12 +91,15 @@ errlHndl_t verifyContainer(void * i_container, const SHA512_t* i_hwKeyHash) */ void hashBlob(const void * i_blob, size_t i_size, SHA512_t o_buf) { - // @TODO RTC:170136 remove isValid check - if(Singleton<SecureRomManager>::instance().isValid()) + if(Singleton<SecureRomManager>::instance().secureRomValidPolicy()) { return Singleton<SecureRomManager>::instance(). hashBlob(i_blob, i_size, o_buf); } + else + { + memset(o_buf, 0, sizeof(SHA512_t)); + } } /** @@ -101,8 +108,7 @@ void hashBlob(const void * i_blob, size_t i_size, SHA512_t o_buf) */ void hashConcatBlobs(const blobPair_t &i_blobs, SHA512_t o_buf) { - // @TODO RTC:170136 remove isValid check - if(Singleton<SecureRomManager>::instance().isValid()) + if(Singleton<SecureRomManager>::instance().secureRomValidPolicy()) { return Singleton<SecureRomManager>::instance(). hashConcatBlobs(i_blobs, o_buf); @@ -115,7 +121,7 @@ void hashConcatBlobs(const blobPair_t &i_blobs, SHA512_t o_buf) void getHwKeyHash(SHA512_t o_hash) { // @TODO RTC:170136 remove isValid check - if(Singleton<SecureRomManager>::instance().isValid()) + if(Singleton<SecureRomManager>::instance().secureRomValidPolicy()) { return Singleton<SecureRomManager>::instance().getHwKeyHash(o_hash); } 
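Review bot: The hashConcatBlobs wrapper still leaves o_buf untouched when secureRomValidPolicy() is false, whereas the hashBlob wrapper in the preceding hunk now clears it, so a best-effort caller would carry on with whatever the buffer held before. Adding the same `else { memset(o_buf, 0, sizeof(SHA512_t)); }` after the if block keeps the two wrappers consistent; the closing braces of hashConcatBlobs lie outside the hunk. In the getHwKeyHash hunk the `// @TODO RTC:170136 remove isValid check` comment is now stale, since the isValid() call it refers to is replaced in this same commit and the sibling hunks drop that comment.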
@@ -148,31 +154,54 @@ using namespace SECUREBOOT; */ errlHndl_t SecureRomManager::initialize() { - TRACDCOMP(g_trac_secure,ENTER_MRK"SecureRomManager::initialize()"); + TRACFCOMP(g_trac_secure,ENTER_MRK"SecureRomManager::initialize()"); errlHndl_t l_errl = nullptr; uint32_t l_rc = 0; do{ - // @TODO RTC:170136 terminate in initialize if the securebit is on - // and code is not valid. Remove all isValid() checks in rest of - // SecureRomManager. - // Check if secureboot data is valid. + // Check if bootloader to hostboot data is valid. iv_secureromValid = g_BlToHbDataManager.isValid(); + if (!iv_secureromValid) { - // The Secure ROM has already been initialized - TRACDCOMP(g_trac_secure,"SecureRomManager::initialize(): SecureROM invalid, skipping functionality"); - + // Allow skipping functionality if secure rom is invalid if best + // effort policy enabled + if(SECUREBOOT::bestEffortPolicy()) + { + TRACFCOMP(g_trac_secure,INFO_MRK"SecureRomManager::initialize(): SecureROM invalid, skipping functionality"); #ifdef CONFIG_CONSOLE - CONSOLE::displayf(SECURE_COMP_NAME, "SecureROM invalid - skipping functionality"); + CONSOLE::displayf(SECURE_COMP_NAME, "SecureROM invalid - skipping functionality"); #endif - - // Can skip the rest of this function - break; + printk("SecureRomManager SecureROM invalid -- skipping functionality\n"); + // Can skip the rest of this function + break; + } + // Otherwise enforce securerom to be valid. + else + { + TRACFCOMP(g_trac_secure,ERR_MRK"SecureRomManager::initialize(): SecureROM invalid"); +#ifdef CONFIG_CONSOLE + CONSOLE::displayf(SECURE_COMP_NAME, ERR_MRK"SecureROM invalid"); +#endif + printk("ERR> SecureRomManager SecureROM invalid\n"); + /*@ + * @errortype + * @moduleid SECUREBOOT::MOD_SECURE_ROM_INIT + * @reasoncode SECUREBOOT::RC_SECROM_INVALID + * @devdesc Valid securerom not present + * @custdesc Security failure occurred during the IPL of + * the system. 
+ */ + l_errl = new ERRORLOG::ErrlEntry( ERRORLOG::ERRL_SEV_UNRECOVERABLE, + SECUREBOOT::MOD_SECURE_ROM_INIT, + SECUREBOOT::RC_SECROM_INVALID); + l_errl->collectTrace(SECURE_COMP_NAME,ERROR_TRACE_SIZE); + break; + } } - TRACDCOMP(g_trac_secure,"SecureRomManager::initialize(): SecureROM valid, enabling functionality"); + TRACFCOMP(g_trac_secure,"SecureRomManager::initialize(): SecureROM valid, enabling functionality"); #ifdef CONFIG_CONSOLE CONSOLE::displayf(SECURE_COMP_NAME, "SecureROM valid - enabling functionality"); #endif @@ -281,12 +310,11 @@ errlHndl_t SecureRomManager::verifyContainer(void * i_container, do{ // Check if secureboot data is valid. - if (!iv_secureromValid) + if (!secureRomValidPolicy()) { // Can skip the rest of this function break; } - // Check to see if ROM has already been initialized // This should have been done early in IPL so assert if this // is not the case as system is in a bad state @@ -393,7 +421,7 @@ void SecureRomManager::hashBlob(const void * i_blob, size_t i_size, SHA512_t o_b TRACDCOMP(g_trac_secure,INFO_MRK"SecureRomManager::hashBlob()"); // Check if secureboot data is valid. - if (iv_secureromValid) + if (secureRomValidPolicy()) { // Check to see if ROM has already been initialized // This should have been done early in IPL so assert if this @@ -426,7 +454,7 @@ void SecureRomManager::hashConcatBlobs(const blobPair_t &i_blobs, SHA512_t o_buf) const { // Check if secureboot data is valid. - if (iv_secureromValid) + if (secureRomValidPolicy()) { std::vector<uint8_t> concatBuf; for (const auto &it : i_blobs) 
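Review bot: The enforcing branch of SecureRomManager::initialize() creates an ERRL_SEV_UNRECOVERABLE log with only collectTrace() before breaking out; the failure path in service.C's handleSecurebootFailure later in this diff attaches a callout at `HWAS::SRCI_PRIORITY_HIGH`, so this log may want `l_errl->addProcedureCallout(HWAS::EPUB_PRC_HB_CODE, HWAS::SRCI_PRIORITY_HIGH);` as well if that is the component's convention. Whether the returned error actually stops the IPL depends on the caller of initializeSecureRomManager(), which is outside this hunk; if it only propagates l_errl, the next call into the manager in enforcing mode ends in the assert inside secureRomValidPolicy() rather than in a handled error. The `CONSOLE::displayf(SECURE_COMP_NAME, ERR_MRK"SecureROM invalid")` call also prefixes the console line with a trace marker, unlike the other displayf calls in this function.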
@@ -443,9 +471,24 @@ void SecureRomManager::hashConcatBlobs(const blobPair_t &i_blobs, } } -bool SecureRomManager::isValid() +bool SecureRomManager::secureRomValidPolicy() const { - return iv_secureromValid; + bool l_policy = true; + if (bestEffortPolicy()) + { + // Set policy based on secure ROM status + l_policy = iv_secureromValid; + } + else + { + // Assert secure rom is valid in this mode. + // The initialize function should have created an error log already if + // this case is false, so this code path should not be hit. + assert(iv_secureromValid==true, "SecureRomManager cannot operate with invalid secure rom"); + l_policy = true; + } + + return l_policy; } /******************** @@ -458,7 +501,7 @@ bool SecureRomManager::isValid() void SecureRomManager::getHwKeyHash() { // Check if secureboot data is valid. - if (iv_secureromValid) + if (secureRomValidPolicy()) { iv_key_hash = reinterpret_cast<const SHA512_t*>( g_BlToHbDataManager.getHwKeysHash()); @@ -471,7 +514,7 @@ void SecureRomManager::getHwKeyHash() void SecureRomManager::getHwKeyHash(SHA512_t o_hash) { // Check if secureboot data is valid. - if (iv_secureromValid) + if (secureRomValidPolicy()) { memcpy(o_hash, iv_key_hash, sizeof(SHA512_t)); } diff --git a/src/usr/secureboot/base/securerommgr.H b/src/usr/secureboot/base/securerommgr.H index bf8812342..b221d2c10 100644 --- a/src/usr/secureboot/base/securerommgr.H +++ b/src/usr/secureboot/base/securerommgr.H @@ -97,11 +97,13 @@ class SecureRomManager void hashConcatBlobs (const blobPair_t &i_blobs, SHA512_t o_buf) const; /* - * @brief Getter for private "is valid" variable + * @brief Determines if best effort policy is enabled and allowed when + * SecureROM is invalid. + * Asserts secure rom is valid if bestEffortPolicy is false * - * @return bool - True if valid, false otherwise + * @return bool - True if enabled, false otherwise */ - bool isValid(); + bool secureRomValidPolicy() const; /* * @brief Get offset of function from the start of the SecureROM 
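Review bot: In SecureRomManager::secureRomValidPolicy() the `l_policy = true;` in the else branch repeats the initializer and `iv_secureromValid==true` compares a bool against true; the function reads more directly as a guard, `if (!bestEffortPolicy()) { assert(iv_secureromValid, "SecureRomManager cannot operate with invalid secure rom"); return true; }` followed by `return iv_secureromValid;`. The assert means that in enforcing mode any call after a failed initialize() terminates instead of returning an error, which the inline comment explains; stating that fail-closed intent in the method's header comment would help callers that only see the declaration.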
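Review bot: The new header comment for secureRomValidPolicy() says it "Determines if best effort policy is enabled" and returns "True if enabled", but the implementation in securerommgr.C returns whether SecureROM functionality may be used: always true (after asserting the ROM is valid) when best effort is off, and iv_secureromValid when it is on. A description matching the code would be `@brief Whether SecureROM functionality may be used` and `@return bool - True if SecureROM is usable; asserts the ROM is valid when best effort policy is disabled`.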
diff --git a/src/usr/secureboot/base/service.C b/src/usr/secureboot/base/service.C index 6d0bf8ff3..98a750c98 100644 --- a/src/usr/secureboot/base/service.C +++ b/src/usr/secureboot/base/service.C @@ -92,13 +92,8 @@ void* initializeBase(void* unused) do { - - // Load original secureboot header. - if (enabled()) - { - Singleton<Header>::instance().loadSecurely(); - } - + // SecureROM manager verifies if the content necessary for secureboot in + // the BltoHbData is valid or not. So initialize before anything else. // Don't enable SecureRomManager in VPO #ifndef CONFIG_P9_VPO_COMPILE @@ -109,6 +104,12 @@ void* initializeBase(void* unused) break; } #endif + + // Load original secureboot header. + if (enabled()) + { + Singleton<Header>::instance().loadSecurely(); + } } while(0); return l_errl; @@ -121,6 +122,11 @@ bool enabled() } #endif +bool bestEffortPolicy() +{ + return Singleton<Settings>::instance().getBestEffortPolicy(); +} + errlHndl_t getSecuritySwitch(uint64_t& o_regValue, TARGETING::Target* i_pProc) { return Singleton<Settings>::instance().getSecuritySwitch(o_regValue, @@ -177,6 +183,9 @@ void handleSecurebootFailure(errlHndl_t &io_err, bool i_waitForShutdown) HWAS::SRCI_PRIORITY_HIGH); // Add Security related user details + // @TODO RTC: 176134 A chain of calls leads to a portion of code in the ext + // img. If we get an HBI page verify failure and the ext + // image is corrupted, we will hang. addSecureUserDetailsToErrolog(io_err); io_err->collectTrace(SECURE_COMP_NAME,MAX_ERROR_TRACE_SIZE); diff --git a/src/usr/secureboot/base/settings.C b/src/usr/secureboot/base/settings.C index 078b9e1ed..0e2e2ea02 100644 --- a/src/usr/secureboot/base/settings.C +++ b/src/usr/secureboot/base/settings.C 
@@ -101,6 +101,21 @@ namespace SECUREBOOT securitySwitchValue,cbsValue); } #endif + +#ifdef CONFIG_SECUREBOOT_BEST_EFFORT + iv_bestEffortPolicy = true; +#else + if (iv_enabled) + { + iv_bestEffortPolicy = false; + } + else + { + iv_bestEffortPolicy = true; + } +#endif + SB_INF("getBestEffortPolicy() state:%i",iv_bestEffortPolicy); + printk("SECUREBOOT::bestEffortPolicy() state:%i\n", iv_bestEffortPolicy); } bool Settings::getEnabled() const @@ -108,6 +123,11 @@ namespace SECUREBOOT return iv_enabled; } + bool Settings::getBestEffortPolicy() const + { + return iv_bestEffortPolicy; + } + errlHndl_t Settings::getJumperState(SecureJumperState& o_state, Target* i_pProc) const { @@ -364,5 +384,4 @@ namespace SECUREBOOT return l_errl; } - } diff --git a/src/usr/secureboot/runtime/test/testsecureboot_rt.H b/src/usr/secureboot/runtime/test/testsecureboot_rt.H index a7bd93830..6d63b4fd7 100644 --- a/src/usr/secureboot/runtime/test/testsecureboot_rt.H +++ b/src/usr/secureboot/runtime/test/testsecureboot_rt.H @@ -42,6 +42,8 @@ #include "common/securetrace.H" #include <secureboot/service.H> #include <secureboot/settings.H> +#include <pnor/pnorif.H> +#include <pnor/pnor_reasoncodes.H> class SecurebootRtTestSuite: public CxxTest::TestSuite { 
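Review bot: The two log lines added at the end of the settings.C hunk name functions other than the one emitting them — `SB_INF("getBestEffortPolicy() state:%i",...)` and `printk("SECUREBOOT::bestEffortPolicy() state:%i\n", ...)` run in the settings initializer, whose start is outside the hunk, not in either getter — and they use two different labels for the same value. Labelling both with the member being set, e.g. `SB_INF("Settings: bestEffortPolicy=%i", iv_bestEffortPolicy);`, makes the trace searchable. The non-CONFIG branch can also collapse to `iv_bestEffortPolicy = !iv_enabled;`. The iv_bestEffortPolicy member is declared in a header outside this diffstat, presumably settings.H, so its documentation should be checked there.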
@@ -158,6 +160,66 @@ class SecurebootRtTestSuite: public CxxTest::TestSuite SB_EXIT("SecurebootRtTestSuite::testBaseInterfaces"); } + void testAccessSecurePnorSection() + { + SB_ENTER("testAccessSecurePnorSection"); + + errlHndl_t l_err = nullptr; + PNOR::SectionId l_id = PNOR::OCC; + PNOR::SectionInfo_t l_info; + + // Ensure we cannot read secure sections from PNOR at Runtime + l_err = PNOR::getSectionInfo(l_id, l_info); + if(l_err) + { + if (l_err->reasonCode() == PNOR::RC_RTPNOR_INVALID_SECTION) + { + delete l_err; + l_err = nullptr; + } + else + { + TS_FAIL("testAccessSecurePnorSection: unexpected reason code for Secure Section %s. Expected RC 0x%.4X Actual RC 0x%.4X", + PNOR::SectionIdToString(l_id), + PNOR::RC_RTPNOR_INVALID_SECTION, + l_err->reasonCode()); + errlCommit(l_err, SECURE_COMP_ID); + } + } + else + { + TS_FAIL("testAccessSecurePnorSection: Did not catch illegal PNOR access of Secure Section %s", + PNOR::SectionIdToString(l_id)); + } + + l_id = PNOR::HB_EXT_CODE; + l_err = PNOR::getSectionInfo(l_id, l_info); + if(l_err) + { + if (l_err->reasonCode() == PNOR::RC_RTPNOR_INVALID_SECTION) + { + delete l_err; + l_err = nullptr; + } + else + { + TS_FAIL("testAccessSecurePnorSection: unexpected reason code for Secure Section %s. Expected RC 0x%.4X Actual RC 0x%.4X", + PNOR::SectionIdToString(l_id), + PNOR::RC_RTPNOR_INVALID_SECTION, + l_err->reasonCode()); + errlCommit(l_err, SECURE_COMP_ID); + } + } + else + { + TS_FAIL("testAccessSecurePnorSection: Did not catch illegal PNOR access of Secure Section %s", + PNOR::SectionIdToString(l_id)); + } + + + SB_EXIT("testAccessSecurePnorSection"); + } + private: |